[PATCH] Audit filter rule operators (2/2)

Timothy R. Chavez tinytim at us.ibm.com
Mon Oct 24 16:13:34 UTC 2005


On Friday 21 October 2005 18:24, Dustin Kirkland wrote:
> This is the kernel space component of this patch.
> 
> This patch defines the bitmask values of each of the 6 comparators (and
> includes a nice documentation chart explaining how they were chosen).
> 
> It also adds a new function, audit_comparator(left, op, right).  This
> function will perform the specified comparison (op, which defaults to
> "==" for backward compatibility) between two values (left and right).
> If the negate bit is on, it will negate whatever that result was.  This
> value is returned.

I just have one nit/comment below, Dustin.

<snip>
> diff -urpbBN linux-2.6.14-rc4/include/linux/audit.h
> linux-2.6.14-rc4-audit_ops/include/linux/audit.h
> --- linux-2.6.14-rc4/include/linux/audit.h	2005-10-19 09:40:27.000000000 -0500
> +++ linux-2.6.14-rc4-audit_ops/include/linux/audit.h	2005-10-21 18:05:43.000000000 -0500
> @@ -128,8 +128,29 @@
>  #define AUDIT_ARG2      (AUDIT_ARG0+2)
>  #define AUDIT_ARG3      (AUDIT_ARG0+3)
>  
> -#define AUDIT_NEGATE    0x80000000
> +/* These are the supported operators.
> +        4  2  1
> +        >  <  =
> +        -------
> +        0  0  0         0       undef
> +        0  0  1         1       =
> +        0  1  0         2       <
> +        0  1  1         3       <=
> +        1  0  0         4       >
> +        1  0  1         5       >=
> +        1  1  0         6       !=
> +        1  1  1         7       range
> + */
> +#define AUDIT_OPERATORS			0xF0000000
> +#define AUDIT_EQUAL			0x10000000
> +#define AUDIT_LESS_THAN			0x20000000
> +#define AUDIT_LESS_THAN_OR_EQUAL	0x30000000
> +#define AUDIT_GREATER_THAN		0x40000000
> +#define AUDIT_GREATER_THAN_OR_EQUAL	0x50000000
> +#define AUDIT_NOT_EQUAL			0x60000000
> +#define AUDIT_RANGE			0x70000000
>  
> +#define AUDIT_NEGATE			0x80000000
>  
>  /* Status symbols */
>  				/* Mask values */
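Review bot: AUDIT_OPERATORS is defined as 0xF0000000, which overlaps AUDIT_NEGATE (0x80000000), while the chart above it documents only three operator bits (4, 2, 1). If the negate bit is meant to stay separate from the operator field, the mask should be 0x70000000; if the overlap is intentional, the comment should say so. The comment should also state that the chart values sit in bits 28-30 of the word, and how a rule with no operator bits set (the "undef" row) is meant to be treated.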
> diff -urpbBN linux-2.6.14-rc4/kernel/auditsc.c linux-2.6.14-rc4-audit_ops/kernel/auditsc.c
> --- linux-2.6.14-rc4/kernel/auditsc.c	2005-10-19 09:40:29.000000000 -0500
> +++ linux-2.6.14-rc4-audit_ops/kernel/auditsc.c	2005-10-21 18:08:32.000000000 -0500
> @@ -385,6 +385,36 @@ int audit_receive_filter(int type, int p
>  	return err;
>  }
>  
> +static int audit_comparator(const u32 left, const u32 operator, const u32 right)
> +{
> +	int rc;
> +	switch (operator) {
> +		case AUDIT_LESS_THAN:
> +			rc = (left < right);
> +			break;
> +		case AUDIT_LESS_THAN_OR_EQUAL:
> +			rc = (left <= right);
> +			break;
> +		case AUDIT_GREATER_THAN:
> +			rc = (left > right);
> +			break;
> +		case AUDIT_GREATER_THAN_OR_EQUAL:
> +			rc = (left >= right);
> +			break;
> +		case AUDIT_NOT_EQUAL:
> +			rc = (left != right);
> +			break;
> +		case AUDIT_EQUAL:
> +		default:
> +			rc = (left == right);
> +			break;
> +	}
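Review bot: AUDIT_RANGE is defined in audit.h but has no case in this switch, so a rule carrying it falls through to default and is evaluated as left == right. Either add a case for it or reject it before it reaches audit_comparator(), since a silent equality match changes which events the rule selects. As a style point, the case labels are indented one level deeper than the switch; kernel style aligns case with switch.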

Do we really want to default undefined operations to AUDIT_EQUAL?  I'd expect an error.

-tim



